Stuxnet did not require a bootrom zero-day. Just people's propensity to plug in USB devices out of curiosity.
You don't need the NSA to target someone and replace their device with a malware-driven one. Just a porch pirate and your own delivery - two to three years and you're almost guaranteed an attack window.